With the release of Apple's iOS 14.0, we are going to have some massive issues with blacklisting clients and ensuring devices stay connected on MAC address authenticated networks. Is there anything that Meraki can roll out to help mitigate these issues?
Good point, I hadn't thought of the blacklisting. We do this in two ways, device and/or email address (if public and on splash page). Normally device isn't easy to change, but email is. Now both are essentially easy to change.
It does make it very hard to build an open public network (such as guest networks) when Apple does things like this.
The funny thing is - I think this will erode privacy - not improve it.
At the moment, you can often just connect to a public network, and the only information they have on you is a MAC address - which on its own is useless.
Now public networks are going to have to collect personally identifiable information like your name, email address, possible mobile number, and then find some way for you to prove who you are before they can give you access.
Technically you can block clients using randomization, but it needs some smarts on your RADIUS server side of things. Look for the second-least-significant bit of the first octet of the MAC address to be a 1 (this is a locally administered address marker) and deny it if a client matches it; look for the least significant bit to be a 0 as well if you want to specifically target unicast.
Your problem if you successfully create the policy is that users would need to know how to turn off the MAC randomization for the SSID(s) in order to be able to connect.
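The bit test described in the reply above, as an added example that is not part of the original thread: it assumes the client MAC reaches the RADIUS policy as a string (for example in the Calling-Station-Id attribute), and the function names, decision strings and sample addresses are hypothetical.

```python
import re

SEPARATORS = re.compile(r"[-:.\s]")
HEX12 = re.compile(r"[0-9a-f]{12}")

def parse_mac(calling_station_id):
    """Normalize common MAC spellings (aa-bb-.., aa:bb:.., aabb.ccdd.eeff) to 6 bytes."""
    digits = SEPARATORS.sub("", calling_station_id.lower())
    if not HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC: {calling_station_id!r}")
    return bytes.fromhex(digits)

def classify(calling_station_id):
    """Read the two flag bits of the first octet."""
    first_octet = parse_mac(calling_station_id)[0]
    local = bool(first_octet & 0x02)    # second-least-significant bit is 1
    unicast = not (first_octet & 0x01)  # least-significant bit is 0
    return {"locally_administered": local, "unicast": unicast}

def decide(calling_station_id):
    """Hypothetical policy hook: the decision a RADIUS policy would apply."""
    try:
        bits = classify(calling_station_id)
    except ValueError:
        return "reject-malformed"       # assumption: fail closed on unparseable input
    if bits["locally_administered"] and bits["unicast"]:
        return "reject-randomized"
    return "accept"

# Constructed sample values, not taken from the thread.
SAMPLES = [
    "3C-22-FB-12-34-56",   # 0x3c: globally administered, unicast
    "DA:A1:19:00:11:22",   # 0xda: locally administered, unicast
    "f2a3.bc00.1122",      # 0xf2: locally administered, unicast
    "03-00-00-00-00-01",   # 0x03: locally administered, multicast
    "not-a-mac",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:20} {decide(sample)}")
```

The bit marks any locally administered address, so the check also matches devices that set one for reasons other than privacy randomization.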
No, I totally agree. But like I said, is anything available? Meraki has been a huge help in simplifying our organization's network management, so it's only fitting to ask. Maybe something could be on the horizon, or there are some suggestions for Best Practices I might not be aware of.